[Bug]: citrixadc_systemfile "filecontent" #1256

@dimitrigeo

Terraform Core Version

1.9.6

citrixadc Provider Version

1.43.0

Operating system

set Sensitive: true on the filecontent attribute in citrixadc_systemfile

Affected Resource(s)

Issue
When using the citrixadc_systemfile resource to upload sensitive files (e.g., certificates or .pfx files in Base64 form) to a Citrix ADC appliance, Terraform plan output displays the full filecontent attribute in plain text. This leaks sensitive data to logs or pipeline outputs, posing a security risk.

Root Cause
In Terraform, attributes that might contain secrets must be explicitly marked Sensitive: true in the provider’s schema to prevent them from appearing in plan and log outputs. Currently, the filecontent attribute in citrixadc_systemfile is not flagged as sensitive, so Terraform includes it in the plan diffs.

Desired Behavior
The filecontent attribute should be hidden by default in Terraform plan/apply logs. This is typically done by marking it as sensitive in the resource’s schema definition:

```go
"filecontent": {
    Type:      schema.TypeString,
    Sensitive: true, // Ensures Terraform won't display the attribute in plan diffs
    Required:  true,
    ...
}
```

Impact
Security Risk: Certificates, private keys, or .pfx content can be exposed in pipeline logs and version control systems if the plan output is stored or reviewed.

User Friction: Users must resort to complex masking or partial applies to hide secrets in the plan logs.

Recommendation
Flag filecontent (and possibly any other attributes that handle sensitive data) as Sensitive: true in the provider’s code. This ensures Terraform automatically masks or omits the attribute value from plan outputs, consistent with best practices for secret handling.

Equivalent NetScaler CLI Command

NA

Expected Behavior

NA

Actual Behavior

NA

Relevant Error/Panic Output Snippet

NA

Terraform Configuration Files

```hcl
resource "citrixadc_sslcertkey" "pfx_certkey" {
  for_each = {
    for c in var.sslcerts : c.name => c
  }

  certkey = each.key

  # The same .pfx file for both cert & key
  cert = format("/nsconfig/ssl/%s.pfx", each.key)
  key  = format("/nsconfig/ssl/%s.pfx", each.key)
  # The password is only needed if the .pfx file is password protected
  password  = each.value.pfxpassword != ""
  passplain = each.value.pfxpassword

  depends_on = [
    citrixadc_systemfile.pfx_file
  ]
}
```

Steps to Reproduce

NA

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response
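
An added example, not part of the original issue and not the provider's own code: a pipeline check in Go that reads the output of `terraform show -json <planfile>` and lists every citrixadc_systemfile resource whose planned filecontent is not marked in `after_sensitive`, which is the condition under which the human-readable plan prints the value. The sample plan and the resource names in it are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of the `terraform show -json` plan document needed for this check.
type plan struct {
	ResourceChanges []struct {
		Address string `json:"address"`
		Type    string `json:"type"`
		Change  struct {
			After          map[string]interface{} `json:"after"`
			AfterSensitive interface{}            `json:"after_sensitive"`
		} `json:"change"`
	} `json:"resource_changes"`
}

// UnmaskedFileContent returns the addresses of citrixadc_systemfile resources
// whose planned filecontent is set but not marked sensitive, meaning the
// rendered plan would show it in clear text.
func UnmaskedFileContent(planJSON []byte) ([]string, error) {
	var p plan
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, err
	}
	var exposed []string
	for _, rc := range p.ResourceChanges {
		// A nil After map (e.g. on delete) simply yields no filecontent.
		if rc.Type != "citrixadc_systemfile" || rc.Change.After["filecontent"] == nil {
			continue
		}
		// after_sensitive mirrors "after" with true at sensitive leaves; it can
		// also be a bare false, in which case marks stays a nil map.
		marks, _ := rc.Change.AfterSensitive.(map[string]interface{})
		if masked, _ := marks["filecontent"].(bool); !masked {
			exposed = append(exposed, rc.Address)
		}
	}
	return exposed, nil
}

// Constructed sample plan: one unmasked file, one masked file, one unrelated resource.
const samplePlan = `{"resource_changes":[
 {"address":"citrixadc_systemfile.plain","type":"citrixadc_systemfile","change":{"after":{"filecontent":"Q09OU1RSVUNURUQ="},"after_sensitive":{}}},
 {"address":"citrixadc_systemfile.marked","type":"citrixadc_systemfile","change":{"after":{"filecontent":"Q09OU1RSVUNURUQ="},"after_sensitive":{"filecontent":true}}},
 {"address":"citrixadc_sslcertkey.pfx_certkey","type":"citrixadc_sslcertkey","change":{"after":{"certkey":"example"},"after_sensitive":{}}}]}`

func main() { fmt.Println(UnmaskedFileContent([]byte(samplePlan))) }
```

The JSON plan always contains the raw attribute values, masked or not, so the plan file and its JSON rendering should be handled as secrets themselves.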
